Banks all over the world have been shaken by the $81 million cyber theft from the Bangladesh central bank back in March.

Just last week, US regulators told banks to review their cybersecurity protections against fraudulent money transfers. The warnings suggest that US government and law enforcement agencies are concerned that recent attacks on banks in emerging-market economies could lead to losses for big US firms.

How are hackers gaining access to banks?

According to CyberArk’s Vincent Goh, interviewed on CNBC last month, the most common way cyber criminals gain access to financial data is through spear phishing attacks, whereby ostensibly legitimate emails are sent to specific targets, tricking them into downloading malware that grants criminals access to their systems.

Countering the spear phishing threat is not just about the technology protecting a company, it’s also about processes: educating employees to not click on links that they are not familiar with. Bank employees use the Internet and are as hyper-connected as the average consumer or the staff of any other organization, and banks are really no different from other organizations when it comes to cyber risk.
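The spear phishing pattern described above (a plausible-looking message pointing a specific recipient at a malicious link) can be partly caught by process-side checks before the email ever reaches an inbox. The script below is an added example written for this post; it is not code from the article, from CyberArk, or from the toolkit vendor. It assumes a small allow-list of trusted domains and two constructed sample emails, and flags three indicators a mail gateway or awareness tool could report: a sender domain that is a near-miss of a trusted one, a link whose visible text names a different domain than its real destination, and a link whose destination is a bare IP address.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# A hostname that appears inside the visible text of a link.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Naive approximation (last two labels); production code would consult
    # the public suffix list so that e.g. "bank.co.uk" is handled correctly.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url):
    # Treat scheme-less hrefs as http so urlparse still yields a hostname.
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def levenshtein(a, b):
    # Edit distance, used to spot lookalike domains such as "examp1e-bank.com".
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(sender, html_body, trusted_domains):
    """Return a list of (indicator, detail) tuples for one email."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []

    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    if sender_domain not in trusted:
        for t in trusted:
            if 0 < levenshtein(sender_domain, t) <= 2:
                findings.append(("lookalike-sender", f"{sender_domain} resembles {t}"))

    parser = _LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        href_host = host_of(href)
        if IPV4.match(href_host):
            findings.append(("ip-literal-link", href))
        shown = HOST_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(href_host):
            findings.append(("link-text-mismatch",
                             f"text shows {shown.group(1)}, href goes to {href_host}"))
    return findings


# Constructed sample data (hypothetical bank domain, RFC 5737 documentation IP).
TRUSTED = {"example-bank.com"}
SUSPICIOUS_SENDER = "payments@examp1e-bank.com"
SUSPICIOUS_BODY = ('<p>Please review <a href="http://198.51.100.7/login">'
                   'https://example-bank.com/login</a> today.</p>')
CLEAN_SENDER = "alerts@example-bank.com"
CLEAN_BODY = '<p><a href="https://example-bank.com/statements">View statement</a></p>'

if __name__ == "__main__":
    for label, sender, body in (("suspicious", SUSPICIOUS_SENDER, SUSPICIOUS_BODY),
                                ("clean", CLEAN_SENDER, CLEAN_BODY)):
        print(label, phishing_indicators(sender, body, TRUSTED))
```

The three checks are deliberately cheap and explainable, which matters when the output is fed back to staff as part of awareness training: a user can see why "examp1e-bank.com" was flagged, which reinforces the habit of reading the sender and hovering over links that the post recommends.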

Are banks spending enough money on security?

Goh says that traditionally, organizations have spent a lot on blocking and preventing, and not enough on monitoring and stopping attacks. You can watch the full interview here. And you can find out more about how staff awareness courses can help mitigate the risk posed by your own employees here.

Mismatched cyber policies

The SEC, which regulates the securities markets, has found that some major exchanges, dark pools and clearing houses did not have cyber policies in place that matched the risks they faced.

“What we found, as a general matter so far, is a lot of preparedness, a lot of awareness but also their policies and procedures are not tailored to their particular risks,” said SEC Chair Mary Jo White.

An essential part of any ISMS (information security management system) is conducting a risk assessment of your assets so that you can put the right controls in place to mitigate the specific risks you face.

As well as aligning these controls to your business objectives, you need to keep your ISMS documented so that employees can refer to its policies and procedures, should they need to. Plus, if you’re aligning your ISMS to a standard, such as ISO 27001, proper documentation is essential.

The ISO 27001 ISMS Documentation Toolkit contains pre-written documents authored by experts to assist you as you go about implementing your ISMS. Including a complete set of mandatory and supporting documentation, this toolkit comes with gap analysis tools, user guidelines, and 12 months of free updates and unlimited online drafting support.

Properly documented policies and procedures will strengthen your controls, and be a focal point when implementing information security best practice in your business.